Would be great to be able to add groups to application owners in AD instead of only users. The scenario is to use on-prem AD synced with Azure to keep management of application roles/groups/etc. on-prem for cloud-hosted solutions.

Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

Service Principal creation, role definition and permission assignment can be done through the Portal, PowerShell and the API. But in order to make Application Permissions (which require admin consent) work, you need someone with the Global Administrator role to go to the Azure Portal and click the Grant Permissions button (or do the same thing via the OAuth prompt on your web apps).

Right now there is no way to automate Grant Permissions; it is a manual process at the moment. We confirmed this with Microsoft Support and Product Teams as well.

If this can be managed via PowerShell or the API, we would like to include it in our Automation Runbooks and take the workload off our security teams.

From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.

If you don't have access to all requested services you receive the following error:

'AADSTS65005: The application needs access to a service that your organization [Organization name here] has not subscribed to. Please contact your Administrator to review the configuration of your service subscriptions.'

I have attached a diagram playing out a simple example. This will not work for ISVs who would like to provide optional integrations, as they will need to create an Azure AD application (and associated ASP.NET application instance) per potential combination of Microsoft services a tenant could have, just to work around the issue that permissions are mandatory.

The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.
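The incremental consent flow described in the reply above, as an added example that is not part of the original thread or Microsoft's own code: the sign-in request asks only for basic scopes, and a later feature computes which scopes are still missing from the token response before building a second authorization request. The v2 authorize endpoint URL and the Microsoft Graph scope names are real; the client id, redirect URI and token response are constructed placeholders.

```python
from urllib.parse import urlencode

# Added example (not from the thread or Microsoft). The v2 authorize URL and the
# Graph scope names are real; client id, redirect URI and token response are constructed.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
REDIRECT_URI = "https://app.example.test/callback"  # constructed placeholder

def build_authorize_url(scopes, state):
    """Authorization request for exactly `scopes`. On v2 the scopes travel in the
    request itself, so each request can ask for a different set."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def granted_scopes(token_response):
    """The token response's `scope` field says what the user actually consented to."""
    return set(token_response.get("scope", "").split())

def missing_scopes(needed, token_response):
    """Scopes an optional feature needs that have not been consented to yet.
    Empty result: no new consent prompt is required."""
    return sorted(set(needed) - granted_scopes(token_response))

def consent_url_for(feature_scopes, token_response, state):
    """Follow-up request for a later feature, or None when nothing new is needed.
    Already-granted scopes are included so the new access token covers the whole
    feature set, not only the delta."""
    if not missing_scopes(feature_scopes, token_response):
        return None
    full = sorted(set(feature_scopes) | granted_scopes(token_response))
    return build_authorize_url(full, state)

# Step 1: sign-in asks only for the basics.
BASIC = ["openid", "profile", "User.Read"]
# Constructed token response, as if the user consented to the basic request.
SAMPLE_TOKEN_RESPONSE = {"token_type": "Bearer", "expires_in": 3599,
                         "scope": "openid profile User.Read", "access_token": "<redacted>"}
# Step 2: the mail feature is turned on later; only Mail.* is new.
MAIL = ["User.Read", "Mail.Read", "Mail.Send"]

if __name__ == "__main__":
    print(build_authorize_url(BASIC, "signin-1"))
    print(consent_url_for(MAIL, SAMPLE_TOKEN_RESPONSE, "mail-1"))
```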

I registered a new application in https://apps.dev.microsoft.com and afterwards it says "This application will be registered in the Azure Active Directory instance used to manage your xxxx@yyyy.zzz account." I can't see it anywhere.

How about providing a link to it instead of hiding it away where I can't find it, that is if it is even actually visible.

Alan, if I understand correctly, you are saying you cannot see the converged apps you registered on apps.dev.microsoft.com in the Azure Portal. Converged apps cannot currently be managed in the Azure Portal, even though they are registered in the Azure AD tenant listed in the message. If you would like to manage converged apps in the Azure Portal, please post that as an idea/suggestion or vote for it once the post exists.

There is a limit to the number of App and/or Service Principal registrations a non-administrative Azure AD user can provision (250). This prevents the creation of the App or SP from being automated once that limit is reached. Unfortunately there is no way to determine the number of objects that have been created by a particular account. No such counter is available, and the objects themselves don't have a "CreatedBy" attribute that you could query. You do not want the automation account user to be granted the Global admin role in Azure AD due to security concerns. Possible solutions are either to allow the non-admin object creation limit to be removed or for the counter to be reset.

My customers would love to have an easy approach to list all directory extensions for either a specific group or user within the Azure Portal. Currently they have to use PowerShell (Get-AzureADUser -ObjectId $UserId.ObjectId | Select -ExpandProperty ExtensionProperty) to list all the properties associated with the object. This seems a bit difficult for most supporters and IT pros. I would like to see the ability to list the attributes in the short term and the possibility to edit the attributes in the long term.

A parent company has multiple subsidiaries each having a separate tenant. A multi-tenant application written in house for the group can be used by each subsidiary but is not limited to only those tenants. I request that an element be added to the app manifest that would contain a list of tenants that could use/register the application.

Currently, there is no PowerShell cmdlet in the MSOnline and AzureAD modules that could give me the list of user settings. It would be a really powerful cmdlet. Get-MsolCompanyInformation exists, but it only renders partial information, not all of it. The rest of the settings are still inaccessible via PowerShell, such as:
1) Users can add gallery apps to their Access Panel
2) Guest users permissions are limited
3) Admins and users in the guest inviter role can invite
4) Members can invite
5) Guests can invite
6) Restrict access to Azure AD administration portal

The apps that I registered in the Microsoft Registration Portal (MRP) are suddenly gone. I can see them in the Azure Portal, and manage Azure AD apps, but converged apps are only seen in Application registrations. From that place I am unable to manage settings for them.
This also happens with newly registered apps in MRP for me and my colleague: as soon as an app is created it is gone from MRP.
When inspecting the web page there are errors in the Console:

0cac2641-217e-404f-b402-ae7f6d97a3a7:1 Failed to load resource: net::ERR_FILE_NOT_FOUND
MeControl.js:1 Uncaught TypeError: Failed to execute 'postMessage' on 'Window': The provided value cannot be converted to a sequence.
at Object._pO (MeControl.js:1)
at MeControl.js:1

I was looking for a place to report a bug but only found a place to leave feedback here.